APPSEC IN A CONTAINER WORLD
AKASH MAHAJAN - DIRECTOR APPSECCO
Slide 2
WE NOW LIVE IN A CONTAINER WORLD
# Container(Camp|Conf|World)
Slide 3
IT/OPS AND DEVS ARE COMING TOGETHER
# devops
Slide 4
THERE IS A MAJOR SHIFT IN SECURITY
#SHIFTLEFT
Shannon Lietz (Keynote at DevSecCon Asia 2017)
Slide 5
APPSEC TESTING HAS TO BECOME PART OF
DEVOPS OR BE LEFT BEHIND
The reality is, the Microsoft Security Development Lifecycle (SDL) is about 17 years old!
Slide 6
CONTAINERS ENABLE
SELF-SERVICE
AN IMPORTANT ASPECT OF
DEVOPS
Slide 7
CONTINUOUS *
PIPELINE MODE ON
CONTAINERS ENABLE INTEGRATION
AND DEPLOYMENT ON TAP
Slide 8
From http://stackoverflow.com/questions/28608015/continuous-integration-vs-continuous-delivery-vs-continuous-deployment
CHECK FOR SECURITY
[Figure: the pipeline diagram from the linked answer, with four stages marked 1 to 4]
Slide 9
CONTAINERS, APP SEC & OWASP
Slide 10
RELEVANT APPSEC RISKS FROM THE POINT OF VIEW OF CONTAINERS
OWASP Top 10 Issue | What is that?
A1 Injection | Stuff that harms the server
A2 Broken AuthN | Stuff that lets attackers access parts of the application, which allows them to upload stuff that harms the server
A4 Insecure Direct Object Reference |
A5 Security Misconfiguration | Stuff that makes the infra supporting the app insecure
A9 Using Components with Known Vulnerabilities | Stuff that possibly enables any or all of the above, due to using 3rd party stuff
Slide 11
A5 IS A SOLVED
PROBLEM, MAYBE!!
OWASP A5 - SECURITY
MISCONFIGURATION
Slide 12
PATCHED
UN-PATCHED
Slide 13
IMMUTABLE INFRASTRUCTURE FTW!!!
Akash Mahajan
THERE IS NO REASON TO HARDEN EVERY TIME, WE JUST START FROM SCRATCH AND TAKE THE LATEST PATCHED VERSION EVERY SINGLE TIME
Slide 14
A9 CAN BE SOLVED
WITH PRIVATE REPOS
& REGISTRIES MAYBE
OWASP A9 - USING COMPONENTS
WITH KNOWN VULNERABILITIES
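An added example, not code from the talk, of turning the "private registries" idea on this slide (and the rebuild-from-the-latest-patched-image idea on the previous one) into a CI gate: a POSIX shell check that every FROM line in a Dockerfile pulls from the approved internal registry and is pinned by digest, so a rebuild always gets the image that was vetted. The registry hostname, image names and the digest are constructed placeholders.

```shell
#!/usr/bin/env sh
# Added example, not code from the talk. A CI gate for the "A9 via private
# registries" idea: every FROM line in a Dockerfile must pull from the
# approved registry and be pinned by digest, so each rebuild (the immutable
# infrastructure slide) gets exactly the image that was vetted.
# ALLOWED_REGISTRY is an assumed, hypothetical hostname.
ALLOWED_REGISTRY="${ALLOWED_REGISTRY:-registry.internal.example}"

# check_dockerfile FILE -> returns 0 if every FROM is compliant, 1 otherwise.
# Prints one line per violation so the CI log says exactly what to fix.
check_dockerfile() {
  file="$1"; rc=0; stages=" "
  while IFS= read -r line || [ -n "$line" ]; do
    line="${line#"${line%%[![:space:]]*}"}"            # trim leading whitespace
    case "$line" in [Ff][Rr][Oo][Mm][[:space:]]*) ;; *) continue ;; esac
    # strip the keyword, an optional --platform flag and a trailing "AS name"
    image=$(printf '%s\n' "$line" | sed -E 's/^[Ff][Rr][Oo][Mm][[:space:]]+//; s/^--platform=[^[:space:]]+[[:space:]]+//; s/[[:space:]]+[Aa][Ss][[:space:]]+.*$//')
    alias=$(printf '%s\n' "$line" | sed -nE 's/.*[[:space:]][Aa][Ss][[:space:]]+([^[:space:]]+).*/\1/p')
    [ -n "$alias" ] && stages="$stages$alias "
    case "$stages" in *" $image "*) continue ;; esac    # refers to an earlier build stage
    case "$image" in
      scratch) ;;                                       # empty base image, nothing to vet
      "$ALLOWED_REGISTRY"/*@sha256:*)
        digest="${image##*@sha256:}"                    # must be 64 lowercase hex chars
        case "$digest" in
          *[!0-9a-f]*) echo "VIOLATION: malformed digest: $image"; rc=1 ;;
          *) [ "${#digest}" -eq 64 ] || { echo "VIOLATION: malformed digest: $image"; rc=1; } ;;
        esac ;;
      "$ALLOWED_REGISTRY"/*) echo "VIOLATION: not pinned by digest: $image"; rc=1 ;;
      *) echo "VIOLATION: outside $ALLOWED_REGISTRY: $image"; rc=1 ;;
    esac
  done < "$file"
  return $rc
}

# Constructed sample Dockerfiles (placeholder digest) so this runs stand-alone.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/Dockerfile.good" <<'EOF'
FROM registry.internal.example/base/python:3.11@sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa AS build
FROM build
EOF
cat > "$SAMPLE_DIR/Dockerfile.bad" <<'EOF'
FROM python:3.11
FROM registry.internal.example/base/python:3.11
EOF
check_dockerfile "$SAMPLE_DIR/Dockerfile.good" && echo "Dockerfile.good: OK"
check_dockerfile "$SAMPLE_DIR/Dockerfile.bad" || echo "Dockerfile.bad: rejected"
```

Run it as a pipeline step before `docker build`; a non-zero exit stops the build with the offending FROM line in the log.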
Slide 15
SO WHAT IS YOUR SECURITY NIGHTMARE, KEEPING YOU AWAKE?
Slide 16
WHAT ABOUT
APPLICATION’S SECURITY?
Slide 17
WHAT IS THIS THAT IS GOING
TO BURST OUR BUBBLE?
15,000,000 RECORDS FOUND
BECAUSE MANAGEMENT HAD WEAK
PASSWORD ON APPLICATION
3000 PASSPORTS AND DRIVER’S
LICENSES LEAKED BECAUSE THE
CONTRACTOR DIDN’T RESET THE CEO’S
WEAK PASSWORD
ROOT ON RETAIL E-COMMERCE SERVER
BECAUSE OUTSOURCED VENDOR ALWAYS
USES COMPANY NAME AS CMS ADMIN
PASSWORD
Slide 18
TYPICALLY AT THIS POINT
PEOPLE TRY TO SOLVE
SECURITY BY
Slide 19
MONITORING IS NOT SECURITY
MONITORING IS NOT SECURITY
MONITORING IS NOT SECURITY
Slide 20
WHILE AUTHN AND AUTHZ GO A LONG WAY IN ENSURING SECURITY OF ACCESS
Slide 21
NO AMOUNT OF AUTOMATION CAN SOLVE BIZ LOGIC ISSUES
Slide 22
IF ALL YOUR PROCESS ALLOWS FOR IS A
FINAL SECURITY REVIEW, THEN
Slide 23
From http://stackoverflow.com/questions/28608015/continuous-integration-vs-continuous-delivery-vs-continuous-deployment
CHECK FOR SECURITY
[Figure: the same pipeline diagram, with the four stages marked 1 to 4]
1 AUTOMATED
2 AUTOMATED
3 AUTOMATED
4 NOT-AUTOMATED
Slide 24
WHAT CAN THIS NON-AUTOMATED
APPROACH LOOK LIKE?
IS THERE A CHECKLIST WE CAN FOLLOW?
Slide 25
Issues | OWASP Top 10
Input based | A1, A3, A4, A8, A10
Logic & Design based | A2, A5, A6, A7
Access Control | A2, A5, A6, A7
Any other | A9
API Testing | Can span multiple
TAKEAWAY